WireLurker Mac OS X Malware Shut Down

Researchers at Palo Alto Networks discovered a new family of Mac OS X malware that was capable of also infecting iOS devices. The command infrastructure supporting WireLurker has been shut down.

WireLurker is no more.

After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.

“WireLurker is gone,” said Ryan Olson, intelligence director at Palo Alto. “What’s important about this attack is the precedent it set by some new techniques presented in this attack that were actually pretty effective.”

The ultimate goal of the WireLurker attacks, which were limited to China, is unknown but the malware was capable of stealing system information and data stored on mobile devices. Other personal information such as credentials or banking transactions was spared.

Researchers at Palo Alto Networks discovered the threat and dubbed it WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts it and replaces it with a Trojanized version of the same app repackaged with malware.

Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.

Palo Alto says this is the largest-scale threat to OS X ever seen; the malware was already in its third iteration, and it was the first malware to infect installed iOS apps in the same way a traditional virus would. Most worrisome is its ability to compromise non-jailbroken iOS devices, which it does by installing Trojanized applications signed with a legitimate enterprise digital certificate.

The attackers did so by using a legitimate, likely stolen, certificate from a Chinese enterprise participating in Apple’s iOS Developer Enterprise Program. The program gives iOS application developers access to iOS developer libraries and other resources and lets them distribute homegrown signed iOS apps to users via an enterprise provisioning profile, rather than uploading them to the Apple App Store. Apple has since revoked the certificate used by WireLurker, issued to Hunan Langxiong Advertising Decoration Engineering Co. Ltd.

While WireLurker was relatively benign and is currently under wraps, with hundreds of thousands of infected copies in the wild, the potential for future damage is there.

“This was widely distributed,” Olson said. “There are lots of infected Macs out there and someone is certainly going to find one and reverse engineer it to understand how it works and possibly launch their own attacks.”

Palo Alto has been researching WireLurker since June 1, when it was reported to them by a developer at Tencent, a Chinese Internet service portal, who found suspicious files and processes running on his Mac and iPhone. Palo Alto researcher Claud Xiao soon put all the pieces together after similar reports of strange applications and enterprise provisioning profiles showing up on non-jailbroken iPhones and iPads began popping up on Chinese developer and Apple forums. The link between all the users, Palo Alto learned, was Maiyadi. The security company said almost all of the 467 infected Mac OS X apps were uploaded to the Maiyadi app store between April 30 and June 11; all were Trojanized and repackaged with WireLurker.

Three of the top 10 downloaded Mac OS X apps on the store were downloaded 20,000 times each; the app titles include The Sims 3, International Snooker 2012, Pro Evolution Soccer 2014, Angry Birds and NBA 2K13.

Palo Alto said the attackers were not hosting the malware on Maiyadi servers but on cloud storage services hosted by Huawei and Baidu. Once a victim downloads an infected app on OS X and runs it, the malware drops a number of executables, libraries and configuration files before the app runs; the apps themselves, Palo Alto said, perform as expected. Launch daemons dropped by WireLurker manage communication with a command and control server located in Hong Kong and hosted at www[.]comeinbaby[.]com. Only the third and most current version has deployed custom encryption to secure communication with command and control; the first two versions handled this in plain text, Palo Alto said.

Another launch daemon attacks iOS devices over USB, monitoring for connections between iOS and Mac OS X and then determining jailbreak status by trying to connect to AFC2, or Apple File Conduit, a service that allows root access to the device. If it exists, the malware knows the device is jailbroken and behaves one way. If the device is non-jailbroken, a repacked malicious iOS app is installed from backup and signed with the legitimate certificate. The iOS apps are installed to the device through the same iTunes protocol used for legitimate apps. On jailbroken devices, the Trojan will also inject malicious code into system applications and will query all contacts, phone numbers and Apple IDs on the device and send them to the command and control server.
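The enterprise provisioning profile described above (and the signed install on non-jailbroken devices) is what an administrator would want to audit after an incident like this. The following is an added example, not code from the article or from Palo Alto Networks: it extracts the plist payload embedded in a `.mobileprovision` file and flags profiles that are enterprise-wide (`ProvisionsAllDevices`), signed by a team outside an assumed allowlist, or expired. The sample profile bytes, the team name `PLACEHOLDER CO LTD`, the team ID `PLACEHOLDER00` and the allowlist entry `MYCOMPANY000` are all constructed placeholders.

```python
import plistlib
import re
from datetime import datetime

# Constructed sample standing in for a .mobileprovision file. Real profiles are
# a CMS (PKCS#7) signed blob whose payload is an XML plist; the bytes around
# the plist here are filler for that DER framing and every value is a placeholder.
SAMPLE_PROFILE = (
    b"\x30\x82\x0b\x3d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02<filler>"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0"><dict>\n'
    b"<key>Name</key><string>In-House Profile (placeholder)</string>\n"
    b"<key>TeamName</key><string>PLACEHOLDER CO LTD</string>\n"
    b"<key>TeamIdentifier</key><array><string>PLACEHOLDER00</string></array>\n"
    b"<key>ProvisionsAllDevices</key><true/>\n"
    b"<key>ExpirationDate</key><date>2015-06-01T00:00:00Z</date>\n"
    b"</dict></plist>\n<trailing signature bytes>"
)

# The plist sits inside the DER framing as plain text, so a bounded regex
# recovers it without CMS parsing (signature verification is a separate step).
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    m = PLIST_RE.search(blob)
    if m is None:
        raise ValueError("no embedded plist found")
    return plistlib.loads(m.group(0))


def assess_profile(blob: bytes, now_iso: str, allowed_teams: set) -> dict:
    """Summarise a profile and list reasons an administrator should look at it."""
    p = extract_plist(blob)
    now = datetime.fromisoformat(now_iso)
    enterprise = bool(p.get("ProvisionsAllDevices"))  # in-house distribution flag
    team_ids = set(p.get("TeamIdentifier", []))
    findings = []
    if enterprise:
        findings.append("enterprise profile: apps install on any device without App Store review")
    if not team_ids & allowed_teams:
        findings.append("signing team is not on the organisation's allowlist")
    exp = p.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if exp is not None and exp <= now:
        findings.append("profile has expired")
    return {"name": p.get("Name"), "team": p.get("TeamName"),
            "enterprise": enterprise, "expires": exp, "findings": findings}
```

On macOS the same payload can be obtained with its signature checked via `security cms -D -i profile.mobileprovision`, which is the preferred route when the signature itself is in question.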

The Trojan evolved quickly, Palo Alto said. Version A, generated on April 30, consisted of just the original malicious files used to Trojanize Mac OS X apps on Maiyadi. Version B appeared on May 7 and was distributed through the WireLurker command and control infrastructure. It was the first to download and install malicious iOS apps, but only on jailbroken devices. In August, Version C appeared; it contained malicious iOS apps for both jailbroken and non-jailbroken iOS devices and was the first to encrypt C&C communication.

Two processes are always running on computers and mobile devices infected with WireLurker, Palo Alto said. One checks for updates with the C&C server, and the other downloads additional IPA iOS application archive files and monitors for connections over USB.

Palo Alto has observed only the one command and control server, which hosts code updates and iOS apps, processes reports on WireLurker status, and accepts uploads of stolen data and device information from both platforms.

“What we have here is likely a really talented bunch of Mac and iOS developers who probably have not developed a lot of malware in the past and didn’t understand a lot about evading detection,” Olson said. “They were trying things out and had success. Their motivation is unclear yet, but we might find out more.”
